Five Pillars of Transparent Data Security

Data security practices that disrupt workflow place an undue burden on users and administrators. The best data security tools work in the background—transparently—and provide automated, non-disruptive protection of assets and seamless authentication of network users. Similarly, administrative tools should provide consistent support for corporate data security policies and minimize the need for manual oversight or time-consuming, hands-on procedures.

Implementing data security solutions that are universally applied across the organization is also important for regulatory compliance. This aspect of transparency focuses on eliminating device and platform differences as obstacles to deploying universal security protection. Through this model, the widest possible range of devices, hardware platforms, and operating systems operate within the security umbrella, under a single point of control. In other words, device characteristics and hardware platforms become transparent—manageable within the overall framework.

WinMagic recognizes five essential pillars of transparent data security, as outlined in this paper.

Pillar #1:Support Transparency on Multiple Levels

The individual characteristics of computing devices, hardware platforms, and operating systems should all be as transparent as possible within the data security framework.

To this end, an effective data-security solution should:

Include all commonly used hardware platforms under one administrative framework.

Accommodate the typical computing devices in use by staff members, whether company property or brought from home.

Make encryption part of routine security policy throughout the organization, for all forms of communication and data storage.

Contiguous Security Coverage

Using multiple security solutions to accommodate different devices and operating systems in use within the organization is inefficient and prone to error. Without a means to oversee the “big picture,” gaps and vulnerabilities in security can arise. The way to avoid gaps in the visibility of security coverage is to place the full range of organizational assets—desktop machines, storage devices, mobile computing devices, USB flash drives and individual files and folders—under central console control. In this way, encryption can be applied and verified from the top level to the lowest level. Similarly, centralized authentication techniques can monitor and log network accesses, a necessity for meeting regulatory mandates.

Security Vulnerabilities of Devices Brought from Home

Seamless data security—from one end of the corporate network to the vast array of intelligent computing devices that populate it—must encompass both equipment assigned to staff members, as well as any devices brought from home that have the potential to connect to network resources. With the right solution, the same level of transparency that simplifies authentication and encryption on desktop machines and laptops can be applied to smartphones and tablets. If these devices are left out of the mix, it can create security vulnerabilities and headaches for administrators.

In an interview with Network World1, Richard Clark, former White House cybersecurity advisor, commented:

This is the newest and largest vulnerability in corporate America now. Employees say they must have these devices and the corporations have given in under pressure. That's the same corporation that put millions of dollars into firewalls and intrusion-prevention systems. But the CIOs are knowingly authorizing another way into the network. Maybe they've been told it's not secure, and have done it anyway. There are thousands of apps for these mobile devices. Are they secure? What's in the Apple store or Droid store or elsewhere? No one has looked. If there is a corporate device, the corporation has a responsibility to its shareholders to ensure that everything that is allowed there is secured. They should insist they must vet the application, or have the provider vet the application.

These types of devices and the information they contain need to be handled as part of the best practices and security policies in force within the enterprise so that they don’t become a source of data breaches or security leaks.

Encryption is Central to IT Strategies

Encryption deployment is on the rise globally, driven by IT strategic issues, compliance requirements, and the corporate impact of data breaches. The release of the 2011 Global Encryption Trends Study by the Ponemon Institute indicated that encryption is increasingly viewed as a strategic issue by corporate leadership and that it affects more than just IT practices.

...regardless of an organization’s location, it is clear that encryption and key management are becoming more widely deployed and increasingly seen as strategic issues. Encryption usage has emerged as a clear indicator of a strong security posture with organizations that deploy encryption being more aware of threats to sensitive and confidential information and making a greater investment in IT security.

As also noted in the study, compliance is the top motivating factor for using encryption in the US, UK, and France. Making encryption automatic and routine is an important step in ensuring compliance.

Pillar #2:Automate Vital Security Processes

If users can’t disable security protections and key processes are automated—minimizing manual intervention—this can reduce compliance risks and lower the total cost of ownership (TCO) of a data security solution.

The basic guidelines are:

Automate those operations that are necessary to asset protection so that users (and administrators) don’t need to perform tasks manually

Integrate authentication mechanisms deeply into the data security umbrella by tapping into existing mechanisms, such as directory services.

Rely on hardware mechanisms whenever possible, such as Opal-compliant, self-encrypting drives (SEDs), to increase performance and reliability of security processes.

Manual provisioning and enforcement of these processes represents a substantial workload for IT staff members, particularly if permissions and access rights are being assigned across hundreds or thousands of servers involving tens of thousands of employees. If IT cannot track the actions of specific users to an account (for example, if privileged passwords are shared), it makes it extremely difficult to prove protections were adequate during a compliance audit.

Data security solutions that are both automated and operable across a heterogeneous computing environment preserve data protections while providing the necessary monitoring to demonstrate regulatory compliance.

Improved Authentication Mechanisms

Positive authentication is a vital factor in protecting sensitive assets, both in terms of granting access to encryption keys that unlock data and controlling entry to network resources. Depending on the techniques used to implement authentication, the process—if not effectively automated—can be time-consuming, non-productive, and disruptive to everyday workflow.

Pre-boot authentication solves a key problem. If the authentication mechanism takes place before the operating system loads, it can be handled in a uniform, consistent manner, regardless of device type or operating system. Pre-boot network authentication can take this process a step further, by detecting authentication mismatches against corporate directory services.

Hardware-based Encryption

One of the most significant technology advances in recent years has been the release of SEDs, based on the Opal standard. Encryption engines embedded in the drive hardware perform encryption and decryption transparently, outside of the operating system, whenever the drive is operating. When power is removed, the encrypted data is locked and secured, so drive theft does not cause a data breach issue.

Drive retirement at end of life is also faster, less expensive, and less error prone, since sensitive data can be instantly erased, removing security concerns.

In an interview with Computer Weekly3, Eric Ouellet, research vice president at Gartner, commented:

Businesses should consider self-encrypting drives (SEDs) for new installations that hold significant volumes of data. The most effective encryption systems are those that are transparent to the user and require little or no interaction with users or administrators.

Pillar #3: Administer Security from a Central Point

Transparency as it applies to data security administration means that all assets and devices on the network are visible and manageable within a single-console view—no devices escape scrutiny outside of this framework.

The basic tenets of this approach are:

Make policies, password requirements, and encryption manageable from a single point of control across the entire IT infrastructure.

Control user access to resources in a consistent, verifiable way to comply with regulatory mandates.

Ensure that user-owned devices accessing the network are administered with the same security policies that apply throughout the organization.

Centralized Data Security Administration

Modern IT environments commonly include a diverse array of computing devices and operating systems, commonly featuring Mac, Windows, Android, and Linux machines. The need to accommodate diverse computing devices running on multiple operating systems creates a security challenge that can tax administrator capabilities and, if not handled correctly, can lead to cumbersome, fragmented security fixes. Piecemeal solutions (with a separate security approach for each platform) are generally inefficient and often fraught with risks because they are so difficult to administer and lack a central vantage point to monitor and assess real-time security status. Fragmented approaches also make it difficult to demonstrate compliance with data privacy regulations or to perform consistent audits.

Controlled User Access

One means of simplifying the authentication of users accessing corporate resources in the cloud is to integrate the authentication process into the directory server in use within the corporation, such as Microsoft Active Directory, Novell E-Directory, or OpenLDAP. Linking authentication to directory services lets the real-time validation process be governed by user information stored (and modified) within the directory server listings.

Wide-Ranging Device Support

A data security solution designed to handle a diverse range of device types reduces the complexity of secure device management and encryption. The type of device then becomes a transparent issue to the administrator because all devices can be effectively managed within the secure network.

Pillar #4: Adapt Security Policies to Include Emerging Technologies

Technologies change rapidly and IT professionals need to stay on top of the latest developments to ensure that data security policies in use are still effective.

Incorporate new technologies into the overall security framework as they become commonplace, so they can be controlled and centrally administered (including new mobile devices, cloud computing services, storage devices, and so on).

Re-evaluate security policies on a regular basis to maintain a high level of transparency and compliance.

Emerging Technologies

The pace of technology change demands that IT professionals reassess the state of the industry on a regular basis to ensure that existing protections haven’t been circumvented by new technologies that have come into widespread use. Two good examples of this are:

Increased reliance on cloud computing

Employees bringing smartphones and tablets to work

If ignored by IT, both cloud computing and unsecured mobile devices present a substantial risk to corporate data security. For example, a study by the Ponemon Institute, Security of Cloud Computing Users4, indicated that over half of US organizations have adopted cloud services, but 47 percent of survey respondents believed there had not been security evaluations prior to deployment. Even more surprising, 50 percent of the respondents in the US admitted that their organization was unaware of the full range of cloud services deployed. The potential for serious risk under such circumstances is evident.

Vigilant Security Practices

As IT professionals become aware of emerging technologies that are directly or indirectly populating their infrastructure, data security policies should be amended to eliminate any possible avenues for data breaches. Once again, this can be done very effectively with administrative tools that provide a network-wide view of the devices and resources in use.

Regular Re-evaluation

Periodic re-evaluation of the data security practices in use should be regularly scheduled and assessments for new technologies should consider factors such as:

Are all workspaces secured for storing, syncing, and sharing files?

Is there centralized administrative control over user accounts and files?

Does the capability exist to block unsecure services to enforce best practices?

Can the data on a device or in the cloud be wiped remotely?

Can individual devices be included in monitoring, reporting, and auditing?

What types of data can be accessed or stored on a device or service and what level of encryption is required?

A dialogue among members of the company’s security team is a good starting point for determining the ways in which a mix of outside devices affects the overall IT infrastructure.

Pillar #5: Adopt an Operating System Agnostic Approach

Creating a security framework where key mechanisms are linked to a specific operating system leads to fragmented management and disruptions to productivity.

To adopt an operating system agnostic approach:

Isolate security mechanisms, such as authentication, from the operating system to provide better security and broader system support.

Use data security techniques that take place even before the operating system boots to eliminate potential vulnerabilities and block illicit network access.

OS-independent Security Mechanisms

The administrator’s view of the network’s data-security infrastructure should span operating systems in use and provide precise management and auditing of encryption and authentication operations. For example, if authentication to the corporate network or access to encryption keys for a laptop takes place following the computer boot process, the operating system itself becomes an integral part of the data security process. Avoid data-protection mechanisms that run as applications within the operating system; by definition these must be unique for Mac OS X, Windows, Linux, and Solaris systems.

Advanced data security technologies that conduct security operations independent of the operating system in use prove easier to integrate into a wide-ranging network environment. Examples of this are: Opal-compliant drives, which perform encryption and decryption tasks within the drive hardware (independent of the operating system); and pre-boot authentication, which authenticates users prior to the operating system boot process starting.

Security at a Pre-Boot Level

To avoid operating system involvement, security routines can be run as an extension of the BIOS or boot firmware. In instances such as pre-boot authentication, the operating system is prevented from loading unless the correct credentials have been entered during boot. This technique can effectively lock the computer and provides a trusted authentication layer. By having a trusted layer in place, the potential increases that encrypted data will be unlocked automatically when a hacker or thief defeats a weak operating system password.

Pre-boot security operations can be deployed to ensure continuous data protection on desktop machines, mobile computing devices, laptops, removable media, and portable storage devices. This level of protection is an important component of privacy regulations to help avoid data breaches.

WinMagic Solutions and New Technologies

As a leader in the data security sector, WinMagic evaluates the latest emerging technologies and integrates those that prove effective into solutions that offer unparalleled enterprise data protection.

This includes two recently developed technologies that are changing face of the data security market (and elevating the transparency of secure practices).

SEDs based on the Opal standard

Pre-boot network-based authentication

Each of these technologies has been integrated into the latest version of WinMagic’s SecureDoc solution. Pre-boot network-based authentication, now a part of PBConnex, gives administrators a direct means to control network access at the pre-boot stage using information provided by the directory services server.

Opal Diminishes Disruption

As one of the first data security companies to provide full-featured support for the Opal standard, WinMagic makes it easy for enterprises to take advantage of the benefits of SEDs and to include them in IT infrastructures. Opal offers a revolutionary approach to encryption, with many benefits and a sleek, streamlined, hardware-based approach that makes Full Disk Encryption (FDE) much less disruptive. The built-in encryption engine secures data as it is stored instead of requiring a lengthy initial encryption pass.

Data encryption keys are stored on the drives, bolstering security and making key management simpler. If a drive is to be put out of service or assigned to a new user, a crypto erase feature renders existing data unintelligible, securing wiping all information.

SEDs, including both solid-state drives and hard disk drives, can be centrally managed under WinMagic’s SecureDoc. Ease of use and simplified management are key benefits. A study conducted by Trusted Strategies5 determined that an organization that deploys 1,000 SEDs (compared to software-encrypted drives) would save USD 200,000, as compared to the operating costs of software-encrypted drives over the full drive lifespan.

Pre-boot Authentication Strengthens Security

As implemented within SecureDoc, the security server performs pre-boot authentication, which eliminates the need for the operating system to initially communicate with the server. This operating system agnostic approach is one of the reasons that WinMagic solutions work well in very complex network environments that feature multiple platforms and multiple operating systems. Everything necessary to authenticate the user and check the local integrity of the pre-boot environment can be accomplished before even loading the operating system.

To strengthen security beyond a simple password at the pre-boot stage, SecureDoc supports a number of different user authentication mechanisms, including a variety of tokens and biometrics. Trusted Platform Module (TPM) credentials can also be ascertained at this time. The SecureDoc model ensures that one size fits all operating systems, accommodating Windows, Mac OS X, Linux, Solaris, Android, and other OSs with the same rigorous level of data protection.

More Transparency with Pre-Boot Network Authentication

The process of pre-boot network authentication adds a layer of protection to data privacy, ensuring that encrypted devices are authenticated to the network before loading the operating system. Credentials are sent across the LAN or WAN by WinMagic’s PBConnex when the user enters the Active Directory sign-on (or other directory services passcode). Then, SecureDoc SDConnex validates the entry, which allows the system startup to proceed. Administrator setup is minimal: it just requires entering the user information into Active Directory.

Users can be added or prevented from having device access without any involvement of the SCS administrator and encryption can be managed remotely. IT departments gain additional security. End users have a simpler, more transparent means to access information through a single password log-in.

The benefits include broad support for Linux-based operating systems. Because this approach is operating system agnostic, there are fewer concerns about undergoing technical evaluations and keeping up-to-date with frequent kernel revisions. In environments where a variety of operating systems are in use, SecureDoc OSA reduces the complexity of management tasks and helps reduce IT costs.

Enterprise-Class Data Security Administration

SES presides over complex combinations of network devices and manages the full range of SecureDoc-encrypted laptops, desktop machines, mobile devices, and removable storage devices. The central console provides single-point control over the individual components of SecureDoc, minimizing disruption across the enterprise and providing the visibility and tracking essential for meeting regulatory requirements.

Authentication of users accessing a protected network is seamlessly handled by PBConnex. PBConnex operates in the background. It uses Active Directory (or other directory services such as LDAP) to ensure that before users can boot a computing device and gain access to the network, they must be present in the current directory and receive authentication. As mentioned earlier, recent technologies such as cloud computing services have caught many corporate security groups by surprise. Encrypting data stored in the cloud is as important as encrypting it on a laptop or removable storage device. Encryption for files and folders stored in the cloud will be implemented into an upcoming release of SecureDoc. This feature protects data stored in the cloud with strong encryption equivalent to the protection provided for all other computing and storage devices on a network managed by SES.

WinMagic implements data protection measures across a consistent framework that allows the full range of computing devices and cloud services to be brought under a single, central management umbrella. The administrative tools that make it easy to oversee encryption and manage keys also provide a central point for auditing and monitoring network activities—an essential element for ensuring regulatory compliance.

Elevating Transparency to an Art Form

WinMagic engineers its entire product line to integrate seamlessly into the IT infrastructure, simplifying administrative tasks and user involvement while delivering the highest levels of data protection through encryption and robust authentication. WinMagic solutions are designed to manage encryption across the entire enterprise.

If security practices are automatic and deeply embedded into the infrastructure—making them as transparent as possible to administrators and users—compliance can be ensured and corporate assets can be protected against potential vulnerabilities that arise in complex networks with multiple devices and platforms.

WinMagic continues to advance security technologies and create solutions that make security practices as transparent and painless as possible for everyone on the network.

About WinMagic

WinMagic Inc. provides the world’s most secure, manageable and easy-to–use data security solutions. WinMagic’s SecureDoc is a comprehensive encryption and security management product that can manage data security across the enterprise. By encrypting entire disks, specific files or folders locally or on the network as well as mobile devices and removable media, SecureDoc secures your data wherever it is stored, providing enterprise grade data security policy and key management across all operating systems such as Windows, Mac OS, Android and Linux. SecureDoc is trusted by thousands of enterprises and government organizations worldwide. Our solutions help organizations to minimize business risks, meet privacy/regulatory compliance requirements, and protect valuable information assets against unauthorized access. With a full complement of professional and customer services, WinMagic supports over three million SecureDoc users in more than 80 countries.

Want to try our software?

WinMagic provides the world’s most secure, manageable and easy-to-use data
encryption solutions. With a full complement of professional services, WinMagic
supports over 5 million SecureDoc users in approximately 84 countries. We can
protect you too.